The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s privacy law that governs how personal health information (PHI) is collected, used, and disclosed. For healthcare providers — whether you are a sole proprietor, part of a small clinic, or a healthcare corporation — understanding and complying with PHIPA is not optional; it is a legal requirement.
PHIPA’s purpose is twofold: to protect the confidentiality of patient health information while allowing the flow of information needed to deliver quality care. It grants patients specific rights, sets strict responsibilities for custodians, and establishes enforcement powers through Ontario’s Information and Privacy Commissioner (IPC).
Purpose of PHIPA
PHIPA is designed to:
- Establish rules for collecting, using, and disclosing PHI.
- Protect patient privacy and confidentiality.
- Grant individuals the right to access and correct their health information.
- Provide independent complaint review by the IPC.
- Offer remedies for violations, including fines and orders to comply.
Key Definitions Under PHIPA
- Health Information Custodian (HIC): Individuals or organizations with custody/control of PHI, including doctors, hospitals, pharmacies, and health service providers.
- Personal Health Information: Identifying information related to a person’s health, healthcare, or eligibility for services.
- Substitute Decision-Maker: Authorized to consent on behalf of another individual regarding their PHI.
Responsibilities of Health Information Custodians
Custodians must:
- Maintain control over PHI until legally transferred.
- Keep PHI accurate, complete, and up-to-date.
- Protect PHI against theft, loss, and unauthorized use.
- Notify individuals promptly if PHI is breached.
- Retain records securely for required periods and dispose of them safely.
- Designate a contact person for compliance and public inquiries.
Consent Rules in PHIPA
- Knowledgeable and Voluntary: The individual must understand what information is involved and why it is being collected, used, or disclosed, and consent must be given freely.
- Express Consent: Required for disclosures to non-custodians or for non-healthcare purposes (e.g., marketing).
- Implied Consent: Allowed in certain healthcare situations, such as within the “circle of care.”
- Lock-Box: Patients can withhold or withdraw consent for specific PHI, so that it cannot be used or disclosed without their express permission.
Collection, Use, and Disclosure
PHIPA limits collection, use, and disclosure to only what is necessary for the intended purpose. Custodians can use PHI for:
- Planning, delivering, and evaluating healthcare programs
- Quality improvement and risk management
- Payment processing and fraud prevention
- Research (with ethics board approval)
- Legal proceedings, public health reporting, and situations involving risk of serious harm
Special Provisions
- Fundraising: Allowed under limited conditions with patient awareness and opt-out options.
- Marketing: Requires express consent.
- Research: Must be approved by a Research Ethics Board and follow strict privacy safeguards.
Electronic and Digital Health Requirements
Custodians using electronic systems must:
- Maintain audit logs tracking access and changes to PHI.
- Implement secure digital health identifier systems with consent.
- Ensure electronic service providers comply with PHIPA rules.
Oversight and Enforcement
The Information and Privacy Commissioner of Ontario can:
- Review and investigate complaints.
- Issue binding orders to custodians.
- Levy administrative penalties.
- Refer offences for prosecution — with fines up to $200,000 for individuals and $1,000,000 for corporations.
Why PHIPA Compliance Matters
Non-compliance can result in:
- Costly fines
- Orders to change your information practices
- Damage to your clinic’s reputation
- Loss of patient trust